Trusted — Risk Score 5/100
Last scan: 1 day ago
polish
Pre-release code review - runs lint/type checks, then launches 3 parallel review agents to analyze the diff, synthesizes a unified report, and fixes with approval.
A legitimate pre-release code review skill that runs lint/type checks and parallel review agents against git diffs. No malicious behavior detected; all observed functionality aligns with documented purpose.
Skill Name: polish
Duration: 30.6s
Engine: pi
Safe to install
No action needed. The skill is safe to use as a code review assistant.
Resource       Declared  Inferred  Status     Evidence
Filesystem     READ      READ      ✓ Aligned  SKILL.md: Reads every changed file fully before reviewing (Rule 1, Phase 2)
Shell          NONE      READ      ✓ Aligned  SKILL.md: Runs git diff, git diff --cached, git rev-parse, and project lint/type…
Skill Invoke   NONE      WRITE     ✓ Aligned  SKILL.md Phase 3: Launches 3 parallel Agent tool calls for review sub-tasks
Network        NONE      READ      ✓ Aligned  SKILL.md: Runs project validation commands which may make HTTP calls (e.g., fetc…
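As an added illustration, not code from the polish skill or from the scanner, the script below reproduces the diff-collection step the report attributes to SKILL.md Phases 1 and 2: locate the repository root with git rev-parse, take the union of files changed in the working tree (git diff) and in the index (git diff --cached), then read every changed file in full instead of only the hunks git prints. The function names, the throwaway fixture repository (built under mktemp -d, the same isolation pattern the report describes for the evals/ fixtures) and the use of --diff-filter=d are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the polish skill or from the scanner.
# It reproduces the diff-collection step the report attributes to SKILL.md
# Phases 1-2: find the repository root with git rev-parse, list the files
# changed in the working tree (git diff) and in the index (git diff --cached),
# then read every changed file in full rather than only the printed hunks.
# Function names, the fixture contents and --diff-filter=d are assumptions.
set -eu

# Union of unstaged and staged changed paths, one absolute path per line.
# Deleted files (--diff-filter=d) are skipped: there is nothing left to read.
changed_files() {
    root=$(git -C "$1" rev-parse --show-toplevel)
    {
        git -C "$root" diff --name-only --diff-filter=d
        git -C "$root" diff --cached --name-only --diff-filter=d
    } | sort -u | while IFS= read -r rel; do
        printf '%s/%s\n' "$root" "$rel"
    done
}

# Rule 1 stand-in: open each changed file whole. The line count shows the
# entire file was read; a reviewer would hand the full content on instead.
review_inputs() {
    changed_files "$1" | while IFS= read -r f; do
        printf '%s %s\n' "$(wc -l < "$f" | tr -d ' ')" "$f"
    done
}

# Constructed fixture: a throwaway repository under mktemp -d, the isolation
# pattern the report describes for evals/fixtures/*/setup.sh. Prints its path.
make_fixture() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    printf 'a\nb\n' > "$dir/app.py"
    printf 'x\n' > "$dir/untouched.txt"
    git -C "$dir" add .
    git -C "$dir" -c user.name=fixture -c user.email=fixture@example.invalid \
        commit -q -m init
    printf 'a\nb\nc\n' > "$dir/app.py"     # unstaged edit: seen by git diff
    mkdir -p "$dir/lib"
    printf 'new\n' > "$dir/lib/util.py"
    git -C "$dir" add lib/util.py          # staged add: seen by git diff --cached
    printf '%s\n' "$dir"
}

# Usage: sh review_inputs.sh /path/to/repo
if [ $# -gt 0 ]; then
    review_inputs "$1"
fi
```

Running it against a repository prints one line per changed file with its full line count, which is the set of inputs a skill following Rule 1 would hand to its review agents; untouched.txt never appears because neither diff lists it.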
1 finding

Medium: External URL
https://www.apache.org/licenses/
LICENSE.txt:3
This is the license reference line of the standard Apache License 2.0 text; it sits in a license text file, not in executable content, and is consistent with the "no suspicious URL/IP contact" positive below.

File Tree

8 files · 33.9 KB · 853 lines
Shell: 5 files, 487 lines · Text: 1 file, 162 lines · Markdown: 1 file, 132 lines · JSON: 1 file, 72 lines
├─ 📁 evals
│ ├─ 📁 fixtures
│ │ ├─ 📁 clean
│ │ │ └─ 🔧 setup.sh Shell 65L · 1.5 KB
│ │ ├─ 📁 cleanliness
│ │ │ └─ 🔧 setup.sh Shell 112L · 2.8 KB
│ │ ├─ 📁 design-reuse
│ │ │ └─ 🔧 setup.sh Shell 117L · 2.8 KB
│ │ ├─ 📁 efficiency
│ │ │ └─ 🔧 setup.sh Shell 105L · 2.8 KB
│ │ └─ 📁 mixed
│ │ └─ 🔧 setup.sh Shell 88L · 2.3 KB
│ └─ 📋 evals.json JSON 72L · 4.5 KB
├─ 📄 LICENSE.txt Text 162L · 8.9 KB
└─ 📝 SKILL.md Markdown 132L · 8.3 KB

Security Positives

✓ All Phase 3 findings are validated against actual code before reporting (Phase 4)
✓ Skill requires explicit user approval before making any fixes (Phase 5)
✓ No sensitive file paths accessed (~/.ssh, ~/.aws, .env)
✓ No credential harvesting or exfiltration detected
✓ No obfuscation, reverse shell, or C2 patterns
✓ No base64/eval execution or suspicious URL/IP contact
✓ evals/ fixtures are isolated test repositories created in temp directories
✓ Skill is a pure code review tool with well-scoped, legitimate behavior